New Windows Vulnerability in Help System 576
wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
Re:Does that matter if we don't have IE's exe file (Score:5, Interesting)
How else could it be so small?
To really get rid of IE you need to remove the DLL files that it uses, and you will break many other programs in the process. Because they all closely link to eachother.
Re:Privilege level (Score:3, Interesting)
Unfortunately, the default distribution of Windows is not setup this way, and is even discouraging it (especially in the Home version).
Afraid (Score:5, Interesting)
Re:MS (Score:2, Interesting)
Re:start the stopwatch... (Score:5, Interesting)
Mitigation? (Score:3, Interesting)
Re:Privilege level (Score:3, Interesting)
ie rants (Score:4, Interesting)
Besides, I really despise the "AppletTransition Sensor" that ESPN and other sites use. Screw `em. Just give me the dang HTML and, please, IE, just render it for me. No code, no scripts, no popups, no crap.
Websites that require JavaScript piss me off. The stupid Washington Post can't even render a page without JavaScript. What a terd.
Now, if only I could get IE to stop displaying the "Your browser doesn't allow ActiveX controls" message that pops up on pages where the designer used some crap control. I've made ActiveX controls and I *know* they can do anything they want on my system. Arg.
And wtf is with "install desktop items"? This is a *web* *browser*, not the control panel, for crying out loud.
And, last but not least, when I disable all this crap and then hit apply, it gives me a confirm warning message, but when I (because I need to use JavaScript on some crappy page) restore the default "cheap-whore-mode" settings, it doesn't say a word! Nice emphasis, Microsoft.
Yeah, I know, use a different browser (or OS), but we all know Windows is *designed* to not interoperate well with those things, right? Sometimes, it wastes time to try to fight inertia.
Anyhow, my feeling is that the desktop situation on Linux and BSD won't be solved until X is ditched completely. Just give me the dang screen buffer(s) and some basic routines and I'll draw my own shtuff. X is a 25-year-old terd, designed for machines with, like, 4k of memory (warning: hyperbole). Just give me font, line, point, ellipse, bitblt and friggin window data structures -- straight to the video card. And access to the video card reg's would be nice too.
End of Rant, enjoy your day.
Peace & Blessings,
bmac
Mod Parent UP! (Score:5, Interesting)
Look, this is absolutely true. There is still plenty of software out there that breaks under W2K/WXP when not run as a local administrator.
And forget 'looser' environments. I run a network at a private school. Care to take a guess how much educational software cares about following the rules properly? Grrr!!!
Re:MS (Score:4, Interesting)
try:
<img src=mailto:user@host?Subject=Something&Body=Fun>
on IE...
Re:Privilege level (Score:5, Interesting)
Right click on the IE/browser shortcut, select run as different user e.g. www_joe.
Then give www_joe permissions to joe's browser directories, or point the browser files to different folders in the registry/config files.
Of course this doesn't protect against shatter attacks etc.
So run IE in a VMware virtual machine and rollback after each session (copy out the data you want before that). VMware Workstation is now USD189 prev was USD299 or some high price.
Re:Use the RUNAS service (Score:3, Interesting)
It doesn't work as well as 'su -c xxx', I wish it did.
Re:Use the RUNAS service (Score:2, Interesting)
source code leak? (Score:2, Interesting)
is it, perchance, related to the recent windows source code leak?
K.
sims Re:Privilege level (Score:1, Interesting)
That is for the copy protection to work properly.
God.
Re:Mod Parent UP! (Score:2, Interesting)
As I dug into what the problem was I was amazed at how poorly designed AutoCAD AD was! Everytime it runs it wants to write registry data into HKLM\Software\Autodesk\.... instead of HKCU\Software\Autodesk\.... where it belongs. Now I thought I could work around this problem, by simply giving users write permission on the Autocad tree. Nope, not only where they trying write to HKLM, but they were opening the Software key, and writing from there (Open Software for writing, write Autodesk\AutoCAD AD\example) But even though the data being written is below the software key, you still can't open the Software key explicitly for writing. ARGG! And of course this problem was with the upgrade that was bought specifically because it was an upgrade for Windows XP! Autodesk didn't even seem to care...
Re:ie rants (Score:3, Interesting)
Yes, *every* window manager / windowing toolkit gives that functionality, but X's underlying layer is network-based, so getting the Display and Screen handles is a level of abstraction better done away with, IMO.
Peace & Blessings,
bmac
Re:Privilege level (Score:5, Interesting)
Works for me and you (Score:3, Interesting)
Re:start the stopwatch... (Score:5, Interesting)
It's too bad, really. I'm not at all impressed with what little MS has done with the format (it still strikes me as afterthought), but compiled HTML can be a blessing. Anyone with tens of thousands of HTML docs on their drive (a handful of O'Reilly books?), can appreciate the simplicity of a single file.
That doesn't work. (Score:3, Interesting)
The new problem there is your WHOLE DESKTOP is now running as Administrator. Remember to kill it and restart it as yourself when you're done.
Re:Use the RUNAS service (Score:2, Interesting)
Re:Windows has problems... (Score:5, Interesting)
Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.
Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
I hate to break it to you, but anyone with the attitude you display is the problem, not a lack of user friendliness.
I have used linux since
I just did a fedora core 1 install. What a joke! Less questions, less knowledge required than a Windows install.
Even once you get it up and running it is smooth and easy to find what you want, vs. a standard kde install on another distro leaving you 40 choices for each type of functionality you'd like to use.
Here's the problem - any installation is somewhat of a barrier because most people do not install windows themselves - it comes on their computers. The steps being taken by Sun, Lindo(w)s, SuSe, Xandros, and others to get their distros defaulted on budget machines will get the familiarity and ease-of-use out there to the masses.
Linux zealots are far too forgiving when judging the difficultly of Linux configuration issues and far too harsh when judging the difficulty of Windows configuration issues. Example comments:
You're right. A friend is helping me bootstrap debian on a running machine I have nothing but net access to. Obviously a little tricky, but once you understand the basics, it's really reasonably easy. However, most Linux "power-users" would expect everyone to be able to do it.
Your examples with Quake show just why we need a common push for progress in this area, and the individual camps are making great strides, but there's needs to be a more unified effort to get better traction.
Re:In Linux-land... (Score:3, Interesting)
Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it? Good job. OK, open up a terminal...."
Very funny, and very true.
I learned my lesson the hard way. I GAVE someone an older machine fully configured and ready to go with Debian installed. I did this after they constantly complained to me how their two Windows systems were messed up. I suggested that they use Linux to at least do their web browding and e-mail and save the Windows machines for whatever special applications (preferably non-networked) that they had.
Instead, they reformatted the machine and installed Windows on it, and gave it to someone else. Talk about gratitude. I don't think they even bothered to try it.
Needless to say I don't offer much sympathy for them new when they can't get their CD burner to work or they are getting new pop-ups, or they can't turn their machine off because they are afraid that it won't boot right again (a problem they have regularly). "So sorry" I say. I'm just a simple Linux user who doesn't understand that sophisticated Windows stuff.
My rule now is not to help anybody who does not really want to be helped. Give them the system ready to go. Tell then the root password and advise them to either leave it at that or change it and write it down, put it in their wallet if they have to. I'd also set up an alternate account that I can get into (with their permission) using SSH so that I can avoid the type of conversation in your example.
Of course if they were using Suse and the Yast installer they wouldn't have that problem. Or they could use Debian and Kpackage, Lindows and its equivalent, Mandrake and its equivalent. The Linux installers are getting better and better while the Windows stuff is either standing still or taking steps backwards to thwart exposures.
By and large the Aunt Tillies of this world don't install applications anyway. What they want is an Internet appliance, and Linux pretty much gives them that. I think the jury is still out on whether home users in the future will even need an e-mail client program. I already know many who don't know how to read their mail with anything but a web-based interface like Yahoo, and they've never even heard of newsgroups. If Google follows through on their 1-Gig Inbox concept who know, they might offer several Gigs of online hard-drive next. Given that, I'm not sure the average Internet user even needs a real hard drive in their machine. The true internet appliance may be just around the corner, rendering the OS wars moot.
Re:MS (Score:4, Interesting)
It starts up mail! I can't believe it, it starts up mail! What an insecure piece of shit, I can't believe it! On firefox, when I view it
Oh wait, you wanted me to do it in IE? Oh yeah, that does it too.
Re:That doesn't work. (Score:3, Interesting)
Re:Privilege level (Score:3, Interesting)
Good for you. It doesn't work fine for a lot of other people. It would help if MS would implement some way to just let you type in a password without requiring two mouse clicks in the "Run as" dialog just to focus the password input box (which is grayed out by default).
Run as is usable for limited tasks, but I tried using WinXP as a non-administrator for a couple weeks and got so fed up with it that I just gave my account administrator privledges. Since I'm behind a firewall, don't run IIS, don't check mail on this machine, and don't use IE, I'm not too scared of viruses being able to delete (easily replaced) system files in addition to the personal documents that they could already mess with.
Uh, "Run As" *is* the "form of sudo".
In a very limited sense. Sudo can be set up to allow admin access to some programs by certain users without prompting for a password. Runas (at least in its GUI form) cannot.
Re:Mozilla not vulnerable (Score:3, Interesting)
Re:Windows has problemss... (Score:3, Interesting)
If Linux can't run a particular game out of the box, it doesn't hurt anyone. If Windows has a massive security hole, it costs businesses millions of dollars, clogs up the Internet with traffic, creates opportunities for spammers to make spam zombies, and exposes sensitive private data.
I just don't see how you can compare those two types of problems.
Very curious... (Score:4, Interesting)
I'm not sure which is more interesting - that Firefox allows it such a boneheaded thing or that Firefox allows it when Mozilla does not. Aren't both using the same version of Gecko (I'm assuming that this is a function that Gecko would handle)?